Friday, November 2, 2007

You know, it's a little frustrating to have taken exams with hundreds of questions about the obscurities and specifics of information security just so that I can prove that I know my stuff. I get these little letters after my name that impress the HR drones. That’s right, I’m an information security professional! Banded together, we geeks can enjoy a lively conversation on encryption for data at rest across disparate systems...“If we make cipher text on a system in an ASCII character set then transport it to a system using EBCDIC...” and so we digress. Ah, the upper echelon of geekdom.

However, it’s the simple stuff that makes or breaks your information security program. In the news recently was a decent account of the “Khaki Bandit” and his ability to walk right into a corporate setting and fill his bag with their laptops – and then walk right back out. Better yet, there’s an account here where a reporter walked into a major mail sorting facility in the UK and took up a position by simply claiming he already worked there.

In both incidents simple procedures could and would have stopped these individuals in their tracks. Sadly, neither was asked for proper ID nor escorted to his purported host. I’m not aware of any major losses or data breaches directly linked to these events, but both had the potential to wreak havoc on an organization and its clientèle, not to mention its public image and brand trustworthiness.

Every organization should take a look at these stories and ask “what if?” Of course, smaller organizations will have an easier time spotting unknown individuals, while larger ones will struggle to apply adequate controls. However, it’s all about the simple controls: “Who are you? Who are you here to see? I’ll call to make sure they’re in. This person will escort you to them.” Funny, that reminds me of my introduction to Kerberos: prove who you are to a trusted third party, and it vouches for you to the service you are trying to reach.